Institut Mines-Télécom Towards a strategic approach to security based on game theory: Untrusted Cloud Storage Game J. Leneutre 20/01/2017
Institut Mines-Télécom
Towards a strategic approach to security based on game theory: Untrusted Cloud Storage Game
J. Leneutre 20/01/2017
Institut Mines-Télécom
Outline
• Introduction
• Untrusted Cloud Storage Game
• Resource Constrained Network Security Games
• Conclusion
01/02/17 Data Integrity Verification Game in Cloud Storage 2
Institut Mines-Télécom
Introduction
n Context: Security Risk Assessment
• Security mechanisms are available & validated • Decision making help when defining security policy or facing security incidents • With a limited defense budget
n Challenges
• How to find the best trade-off between security level and other constraints? • How to compare the respective efficiency on the security level of two distinct
defense strategies? • How to capture the dynamic between attacker and defense system?
è Need for a Quantitative Approach for security assessment
01/02/17 Data Integrity Verification Game in Cloud Storage 3
Institut Mines-Télécom
Introduction
n Existing approaches • Traditional qualitative security risk assessment methods (EBIOS, TVRA)
─ Subjective assessment results • Approaches based on an explicit modeling of attacks:
─ Examples: extension of attack trees, attack graphs, extension of BDMP to security, etc.
─ Quantitative extensions ─ Scaling problem for large systems
• Approaches based on security metrics definition ─ Examples: vulnerability prediction models, attack surface model, etc. ─ Difficult to assess the relevance of metrics
n Alternative approach based on the use of Game theory?
01/02/17 Data Integrity Verification Game in Cloud Storage 4
Institut Mines-Télécom
Introduction
n Game theory: study of conflict and cooperation between intelligent rational decision makers
01/02/17 Data Integrity Verification Game in Cloud Storage 5
n Application to security • Analytical framework for a quantitative modeling of the
interaction between malicious attackers and security administrators ü The attacker is strategic and adapts to the defender’s action ü Security risk assessment & response modeled as dynamic
resource allocation problems
➡ Decision support to security ü Where to deploy in priority the security resources given a
limited budget ? ü How to optimally configure protection or monitoring
mechanisms
Institut Mines-Télécom
Introduction
n Game Theory glossary Ø Game: description of the strategic interactions between a set of rational
players under certain rules Ø Player: a strategic decision maker (can be a person, a machine, etc.) Ø Action: a move that can be carried out by the player at any given time Ø Utility function: assigns a payoff for every possible outcome of the
game for a given player taking into account other players’ actions Ø Strategy: a plan of actions taken in the game by one player (pure/mixed) Ø Strategy profile: set of strategy for each player
01/02/17 Data Integrity Verification Game in Cloud Storage 6
Ø Rationality assumption : every player acts in a way to maximize his utility function
Ø Equilibrium: the point where players maximize their payoffs taking into account other players’ strategies
Ø Nash Equilibrium: strategy from which no player has an incentive to deviate unilaterally
Institut Mines-Télécom
Introduction
n n-player strategic game (normal form) Ø A finite set N of n players Ø For each player i ∈ N a non empty set Ai of actions, and Si the derived
set of strategies Ø For each in player i i∈ N a utility function ui
n Nash equilibrium (NE) • A strategy profile (s1*, …, si* ..., sn*) is a Nash Equilibrium if
∀i ∈ N, ∀si ∈ Si, ui(s1*, …, si* ..., sn*)≥ui(s1*, …, si ..., sn*) Ø Every agent’s strategy at NE is a best response to the other agents’
strategies at NE
01/02/17 Data Integrity Verification Game in Cloud Storage 7
Institut Mines-Télécom
Introduction
n Example: Forwarder’s dilemma
01/02/17 A strategic approach to manage security risks 8
• Utility function: ─ c (0<c<<1): cost representing the
energy and computation spent for the forwarding action
─ Reward when packet arrive at destination: 1
• Nash equilibrium: strategy profile (D,D)
• Goal: device p1 (resp. p2) wants to send a packet to his receiver r1 (resp. r2) using p2 (resp. p1) as a forwarder, in each time slot
• Players: p1 & p2 • Actions: Forward (F) or Drop (D) a packet
Institut Mines-Télécom
Introduction
n Different type of games • Zero-sum vs. Non Zero-sum • Cooperative vs Non cooperative • Static vs. Dynamic games
─ Static game (one-shot game): all players choose their strategies simultaneously ─ Dynamic game (Stackelberg game, leader & follower game): players choose
their actions in more than one stage • Complete information vs. Incomplete information game
─ Complete Information game: players know each others’ strategies and payoffs ─ Incomplete Information game (Bayesian game): information about the
characteristics (strategies, payoffs) of other players are incomplete • Deterministic vs. Stochastic games
─ Stochastic game: game involving probabilistic transitions between different states of the system
01/02/17 Data Integrity Verification Game in Cloud Storage 9
Institut Mines-Télécom
Introduction
n Security Games [Alpcan & Basar 2010] • Games that study the interaction between malicious attackers and defenders
• Mostly two Player non cooperative games: attacker and security administrator
• Pioneered in the context of intrusion detection [Alpcan & Basar 2003], and later received a large attention
• Typically in these works, the defender decides where to allocate limited available security resources
• Utility function quantifies the loss of the attacker in term of security risk impact and cost of security countermeasures
01/02/17 Data Integrity Verification Game in Cloud Storage 10
Institut Mines-Télécom
Introduction n Multiple models of Security Games: intrusion detection
01/02/17 Data Integrity Verification Game in Cloud Storage 11
Example: Comparison of game theoretic models for intrusion detection
Institut Mines-Télécom
Introduction n Example : Intrusion detection resource allocation with non
correlated security assets Game [Chen & Leneutre 2009] (1)
01/02/17 Data Integrity Verification Game in Cloud Storage 12
Defender (IDS)
Attacker
Target node Ni with N1 N2 Nn …
A • Attack (resp. not attack) target Ni with
probability pi (resp 1-pi) • Attack resource budget : P • Cost of attacking: Ca li
p1 p2 pn
D
security asset level li l1 l2 ln • Monitor (resp. not monitor) target Ni
with probability qi (resp 1-qi) • Defense resource budget : Q • Detection rate a, false alarm rate b • Cost of monitoring: Cm li • Cost of false positive: Cf li
≥ ≥ ≥
q1 q2 qn
• Strategy of defender: qi, i=1,…n such that • Utility of defender is a function of: qi, pi, li, a, b, Cm, Cf
qii=1
n
∑ ≤Q
Institut Mines-Télécom
Introduction
n Example : Intrusion detection resource allocation with non correlated security assets Game [Chen & Leneutre 2009] (2) • Contributions: model the interaction between attack and defender side as
non-cooperative game ─ Study the possible equilibrium: Nash equilibrium ─ Look for efficient NE which is favorable for defender side ─ Study the attack’s strategy at the NE ─ Study the optimal strategy of defender side to maximize its payoff at the NE
• Main results ─ Rational attacker only focus on a subset of targets, others are “self secured”
• We provide an algorithm to compute the above subset: sensible target set ─ We derive the minimum number of defenders to maintain the efficient NE ─ We derive optimal strategy for defenders to operate at the efficient NE
Institut Mines-Télécom 14 Laboratoire Commun SEIDO
Introduction
§ Real World application of game theory to (global) security • ARMOR project* (Assistant for Randomized Monitoring Over Routes) is a
real world application which calculates optimum patrol patterns ➡ Federal Air Marshal Service use it to determine the optimum schedule to guard
the most vulnerable flights and the location of checkpoints and canine patrols at LAX
➡ The Coast Guard use it to randomize patrols
➡ Used in rapid transit systems (metro, …) for fare evasion deterrence
* M.E. Taylor, C. Kiekintveld, C. Western and M. Tambe, “A Framework for Evaluating Deployed Security Systems: Is There a Chink in your ARMOR?”, Informatica, 2010
Institut Mines-Télécom
Outline
• Introduction
• Untrusted Cloud Storage Game*
• Resource Constrained Network Security Games
• Conclusion
01/02/17 Data Integrity Verification Game in Cloud Storage 15
*Joint Work: with B. Djebaili, Z. Ismail, C. Kiennert (TPT, LTCI), L. Chen (Université Paris-Sud, LRI), D. Bateman (EDF R&D)
B. Djebaili, C. Kiennert, J. Leneutre, L. Chen, Data Integrity and Availability Verification Game in Untrusted Cloud Storage, Conference on Decision and Game Theory for Security (GameSec), Los Angeles, CA, USA, November 2014, LNCS.
Z. Ismail, C. Kiennert, J. Leneutre, D. Bateman, L. Chen, Auditing a Cloud Provider's Compliance with Data Backup Requirements: A Game Theoretical Analysis, IEEE Transactions on Information Forensics and Security (TIFS), 11(8):1685-1699, August 2016.
Institut Mines-Télécom
Untrusted Cloud Storage Game Context
n Cloud features: • On-demand services • Resource pooling via multi-tenancy • Elasticity via dynamic provisioning of resources • Device and location independence ➡ Source of security problems
─ Reduced control over software and data ─ Potential Interference between security and cloud optimization mechanisms
01/02/17 Data Integrity Verification Game in Cloud Storage 16
n Security of data storage: • Privacy / Confidentiality • Integrity/availability
─ External (hackers) threats for data integrity or availability ─ Cloud Provider (CP) might behave unfaithfully ➡ Users need strong evidence that their data have not been tampered or
partially deleted
Institut Mines-Télécom
Untrusted Cloud Storage Game Problem Statement
n Case of an Untrusted CP • Economically-motivated CP that may be tempted to erase (copies of) data to use
less storage space ➡ How to check compliance of SLAs with regard to data replication?
01/02/17 Data Integrity Verification Game in Cloud Storage 17
n Efficient schemes for remote data integrity checking exist • New cryptographic protocols: proof of data possession (PDP), proof of retrieval (POR) … ➡ However verification costs computing resources
n How to optimize their use ? • Frequency of the verification process ? • Which data to check in priority ? • Are there data not worth checking at all ?
➡ Optimal verification policies needed • Trade-off between security & cost of verification • Obtained by a Game Theoretical analysis modelling interactions between Verifier & CP
Institut Mines-Télécom
Untrusted Cloud Storage Game Underlying assumptions
n Data replication rate is specified in SLAs • Usually not covered in a cloud storage service provider's SLA
➡ Rather provide guarantees in terms of uptime, or allowed number of retries, or how long a read request can take to be serviced
➡ Offer some sort of tiered credits the users if the guarantees are not satisfied
• May be negociated in the case of storage backup or cloud archive services ➡ Possible definition of precise retention policies
n User is allowed to access to different copies of same data • May be necessary to check geographical location of data
01/02/17 Data Integrity Verification Game in Cloud Storage 18
Institut Mines-Télécom
Untrusted Cloud Storage Game Background: Integrity verification of outsourced data
n Usual techniques for integrity control • Hash functions, error-correcting code, checksum, … ➡ … not suited for intentional modification of data !
01/02/17 Data Integrity Verification Game in Cloud Storage 19
D Hash(D)
Audit
Hash(D)
User Cloud storage
No detection of modification
Hash(D)
D: Data
Institut Mines-Télécom
Untrusted Cloud Storage Game Background: Integrity verification of outsourced data
n Need for a new cryptographic primitive ➡ Integrity checking challenge response protocol
01/02/17 Data Integrity Verification Game in Cloud Storage 20
• Metadata may also be outsourced • Verification may be delegated to a
third party auditor (TPA)
Institut Mines-Télécom
Untrusted Cloud Storage Game Background: Integrity verification of outsourced data
n A naive scheme
01/02/17 Data Integrity Verification Game in Cloud Storage 21
• Requires large metadata size • Consumes too much bandwidth
and computation • Verifications limited to the number
of precomputed hash values
Institut Mines-Télécom
Untrusted Cloud Storage Game Background: Integrity verification of outsourced data
n A simple protocol based on DLP [Deswarte & alii, 2004] • Metadata: Tag computed using an homomorphic function
01/02/17 Data Integrity Verification Game in Cloud Storage 22
Deswarte, Y., Quisquater, J.-J., and Saïdane, A.. Remote Integrity Checking. In Proceedings of 6th Working Conference on Integrity and Internal Control in Information Systems (IICIS), 2004.
“d”: data “T”: tag (metadata) “C”: challenge “R”: response “n”: RSA modulus “r”: random integer “DLP”: discrete logarithm problem
Storage provider
Verifier
d
C=gr mod n
R=Cd mod n
Tr = Cd?
F(d) T=gd mod n
DLP problem à security
Institut Mines-Télécom
Untrusted Cloud Storage Game Background: Integrity verification of outsourced data
n Two main approaches for data verification schemes • Deterministic protocols: checks entire data • Probabilistic protocols: randomly checks blocks of data
➡ reduce the computing time of verification
01/02/17 Data Integrity Verification Game in Cloud Storage 23
[Ateniese & alii 2011] Ateniese, G., Burns, R., Curtmola, R., Herring, J., Khan, O., Kissner, L., ... & Song, D. (2011). Remote data checking using provable data possession. ACM TISSEC, 14(1), 12. [Juels, Kaliski 2007] Juels, A., & Kaliski Jr, B. S. (2007, October). PORs: Proofs of retrievability for large files. In Proceedings of the 14th ACM conference on Computer and communications security.
n Main efficient verification schemes • PDP (Provable Data Possession) [Ateniese & alii 2011]
─ Minimize bandwith • POR (Proofs of Retriability) [Juels, Kaliski 2007]
─ Ability to recover corrupted files by using error correcting codes
n Other features • Public verification • Management of dynamic data • Verification of multiple copies of a data
Institut Mines-Télécom
Untrusted Cloud Storage Game Contributions
n Define a basic model • Static game with deterministic verification protocol • CP stores only one copy of the data
01/02/17 Data Integrity Verification Game in Cloud Storage 24
n Study different extensions of the model • Static game with probabilistic verification protocol • Dynamic game with deterministic verification (Stackelberg game) • Extension where CP stores multiple copies of data
n For each model : • Prove the existence of an attractive data set on which both attacker
and verifier should focus exclusively • Find the Nash Equilibrium • Analyze the results in terms of expected behaviours & deduce
guidelines for optimal TPA data checking
Institut Mines-Télécom
Untrusted Cloud Storage Game Static deterministic verification basic game
n Non-cooperative game n Two rational players
• Attacker (CP) • Verifier (TPA)
n Two actions per player for each data : • Attacker : Not replicating / Do nothing • Verifier : Check data integrity / Do nothing
n Strategies: distribution of attack/verification resources • For each data Di, the attacker decides to not replicate (delete) data with
probability pi, and the verifier checks data with probability qi
• Available resources for attacker (resp. verifier) : P (resp. Q)
• Resource constraints: and
01/02/17 Data Integrity Verification Game in Cloud Storage 25
Lin Chen and Jean Leneutre. A game theoretical framework on intrusion Detection in heterogeneous networks.IEEE TIFS, 4(2):165-178, 2009
qii=1
n
∑ ≤Q ≤1pii=1
n
∑ ≤ P ≤1
Institut Mines-Télécom
Untrusted Cloud Storage Game Static deterministic verification basic game
n Game parameters • Amount of data stored at the CP : N • Financial storage cost of data Di (proportional to its size) : Si≥0
• Financial value (integrity level) of data Di: Fi
• Overall TPA probability of detecting fraud when checking data : a ─ a = 1 for deterministic verification protocols ─ a < 1 for probabilistic verification protocols
• Verification processing costs for CP: Cs Si with 0≤Cs≤1 • Verification processing costs for TPA: CT Si with 0≤Ct≤1
01/02/17 Data Integrity Verification Game in Cloud Storage 26
Institut Mines-Télécom
Untrusted Cloud Storage Game Static deterministic verification basic game
n Assumptions • Cost related to network communications both on the CP and TPA
sides are ignored • Possible storage flaws of an honest CP are out of scope of this
model • The probability of data corruption remaining undetected by the TPA
after a check is neglected, even when using a probabilistic protocol ─ Each players aims at maximizing his payoff
• TPA verification processing costs are taken in charge by the TPA • CP verification processing costs are taken in charge by the TPA
(resp. CP) when verification leads to a positive (resp. negative) result
01/02/17 Data Integrity Verification Game in Cloud Storage 27
Institut Mines-Télécom
Untrusted Cloud Storage Game Static deterministic verification basic game
01/02/17 Data Integrity Verification Game in Cloud Storage 28
Data Di
Attack probability pi
Checking probability
qi
Cost of storage Si
Financial value Fi
Cost of verification (TPA)
Ct Si
Cost of executing verification (CP)
CS Si
CP \ TPA Check Not check Replicate 0, -Ct Si – Cs Si 0, 0
Not Replicate – Cs Si – Si, – Ct Si + Fi Si, -Fi
n Utility functions of static game for deterministic verification
TPA payoff:
CP payoff:
and Ressource constraints:
Institut Mines-Télécom 01/02/17 Data Integrity Verification Game in Cloud Storage 29
Movie S=15 Compressed
file S=11
Compressed file S=5
Photo S=3
Text S=2
Text S=1
Audio S=7
n Data distribution • Does a rational attacker (CP) attack all data ?
Existence of an Attractive Dataset Actually, a rational attacker will only attack data with large enough sizes Si
Guideline 1: A rational defender has only to verify data in the attractive dataset
Untrusted Cloud Storage Game Static deterministic verification basic game
Institut Mines-Télécom
n Solving the game • The existence pf NE depends on the ressource constraints • Value of NE when all resources are used by both players,
01/02/17 Data Integrity Verification Game in Cloud Storage 30
(Attractive dataset)
Guideline 2: Verification resources to data should be allocated accordingly to the values of qi*
Untrusted Cloud Storage Game Static deterministic verification basic game
Institut Mines-Télécom 01/02/17 Data Integrity Verification Game in Cloud Storage 31
Defender (TPA) Attacker (CP)
-0.13976 -0.34721 -0.61456
Table 1: Payoff at the Nash Equilibrium (NE)
Table 2: Payoff Degradation due to deviation from NE
Number of data
n=20
TPA random strategy
CP best response
TPA best & maximum gain
TPA average gain
TPA minimal gain
Untrusted Cloud Storage Game Static deterministic verification basic game
Institut Mines-Télécom
Untrusted Cloud Storage Game Stackelberg deterministic verification basic game
n Players have sequential interaction • the move of one player is conditioned by the move of the other
player n Stackelberg Game principle
• The leader L moves first • The follower F observes the leader’s choice, then chooses his
strategy
n Backward induction • Follower’s problem: for every strategy sL of L, F computes
sF(sL)= argmax UF(sL,sF)
• Leader’s problem: F computes sL(sF)= argmax UL(sL,sF(sL))
• Subgame perfect equilibria or Stackelberg-NE
01/02/17 Data Integrity Verification Game in Cloud Storage 32
sF∈ SF
sL∈ SL
Institut Mines-Télécom
Untrusted Cloud Storage Game Stackelberg deterministic verification basic game
n Players have sequential interaction: the move of one player is conditioned by the move of the other player
n Stackelberg Game principle : • The leader moves first • The follower observes the leader’s choice, then chooses his
strategy n Three cases analyzed :
• Case 1: Leader: CP, Follower: TPA • Case 2: Leader: TPA, Follower: CP • Case 3: Lead of Follow
─ Which strategy will be better for both TPA & CP ? ─ Actually, Case 1 corresponds to the best strategy for both
01/02/17 Data Integrity Verification Game in Cloud Storage 33
Guideline 3: TPA should choose the follower strategy in order to maximize his payoff, while leader is the best strategy for the CP
Institut Mines-Télécom
Untrusted Cloud Storage Game Game with multiple data copies
n Multiple copies of the same data on the CP servers • Parameters : same than generic game plus
─ Number of copies of data Di: Ri
─ Reward the CP gets if he acts honestly: εFi (ε≥0)
01/02/17 Data Integrity Verification Game in Cloud Storage 34
CP \ TPA Check Not check Correct/Available copy εFi, -Ct Si – Cs Si 0, 0
Incorrect/unavailable copy – Cs Si – Si, – Ct Si + Fi Si, -Fi
n Strategies • Probability that the CP deletes i copies of data Dm (0≤i≤Rm): pi
m • Probability that the TPA checks i copies of data Dm (0≤i≤Rm): qi
m
Institut Mines-Télécom
Untrusted Cloud Storage Game Game with multiple data copies
01/02/17 Data Integrity Verification Game in Cloud Storage 35
Data Dm Check i copies
Delete i copies
Storage cost
Financial value
Cost of verification (TPA)
Cost of executing verification (CP)
CP reward
n Utility functions of game with multiple copies qi
m Notation: denotes the indicator function
Sm CP payoff:
TPA payoff:
pim
Ct Sm
Fm
CSFm
εFm
Institut Mines-Télécom
Untrusted Cloud Storage Game Game with multiple data copies
01/02/17 Data Integrity Verification Game in Cloud Storage 36
n Two game settings
• Independent strategies game
─ Player’s strategy fo each data does not depend on other data:
─ for each data Dm:
• Correlated strategies game
─ Player’s strategy for each data depends on strategies for other data:
─ for N data:
➡ There exists a unique NE for the game with independent strategies ➡ There exists a unique NE for the game with correlated strategies when each player can target several types of data at each instance of the game ➡ If ε>0, there exists a unique NE for the game with correlated strategies when each player can target only one type of data at each instance of the game
Institut Mines-Télécom
Untrusted Cloud Storage Game Game with multiple data copies
01/02/17 Data Integrity Verification Game in Cloud Storage 37
n Game with multiple copies and independant strategies
Institut Mines-Télécom
Untrusted Cloud Storage Game Game with multiple data copies
n Estimation of the parameters • Number of Backup copies Rm: specified in the SLA • Storage cost Sm: can be deduced from the size of data based on [Chen & Sion, 2011] • Verification costs parameter Ct & Cs: benchmarks from verification protocol
implementations and cost of CPU cycles from [Chen & Sion, 2011] • Financial value of Data Fm: deduced from the application of a risk assesment
method
n Perspectives • Extension to an infinite repeated game • Take into account location requirements for data
➡ Give some guidelines to define an optimal verification strategy for data replication compliance checking
➡ May be used to define “ ALAs (Audit Level Agreements)”
01/02/17 Data Integrity Verification Game in Cloud Storage 38
[Chen & Sion, 2011] Y. Chen and R. Sion. To Cloud or not to Cloud?: musing on cost and viability. 2nd Symp. On Cloud Computing, SOC 2011.
Institut Mines-Télécom
Resource Constrained Network Security Game
n Resource Constrained Network Security games
• N targets in the network to defend/attack • Strategy of each player corresponds to the amount of resources
allocated to attack/defend each target with ressource constraints P/Q • Utilities functions are such that
─ ri, si, ui > 0, and ti ≥0 ─ ri’’, si’, and ui’ < 0 and ti’≤0 ─ ui ≤ ti, si’ ≤ui’
• Theo : If ti-ui ≥ ri-si and ri’-ti’ ≥ si’-ui’, a necessary condition for (p*,q*) to be a NE of a RNCS game is
01/02/17 Data Integrity Verification Game in Cloud Storage 39
Institut Mines-Télécom
Outline
• Introduction
• Untrusted Cloud Storage Game*
• Resource Constrained Network Security Games
• Conclusion
01/02/17 Data Integrity Verification Game in Cloud Storage 40
*Joint Work: with B. Djebaili, Z. Ismail, C. Kiennert (TPT, LTCI), L. Chen (Université Paris-Sud, LRI), D. Bateman (EDF R&D)
B. Djebaili, C. Kiennert, J. Leneutre, L. Chen, Data Integrity and Availability Verification Game in Untrusted Cloud Storage, Conference on Decision and Game Theory for Security (GameSec), Los Angeles, CA, USA, November 2014, LNCS.
Z. Ismail, C. Kiennert, J. Leneutre, D. Bateman, L. Chen, Auditing a Cloud Provider's Compliance with Data Backup Requirements: A Game Theoretical Analysis, IEEE Transactions on Information Forensics and Security (TIFS), 11(8):1685-1699, August 2016.
Institut Mines-Télécom
Outline
• Introduction
• Game Theory
• Contributions
• Game Models
• Conclusion
01/02/17 Data Integrity Verification Game in Cloud Storage 41
Institut Mines-Télécom
Conclusion
n Some limitations when applying game theory to security • Relevance of the game solution (rationality assumption)
─ Need for an experimental evaluation methodology ➡ Take inspiration from [Taylor & al. 2010]
• Uncertainties about the attacker (Complete information vs. Incomplete information) ─ Need to take into account several profiles of attackers ➡ Use of Bayesian Stackelberg games [Taylor & al. 2010]
• High level of abstraction: limited action sets (attack/not attack), simple utility functions, … ─ Definition of appropriate utility functions in term of security ➡ Use more realistic cost-oriented security metrics: Return On Security Investment (ROSI)
[Sonnenreich & al. 2006], Return On Response Investment (RORI) [Gonzalez & al. 2012]
01/02/17 Data Integrity Verification Game in Cloud Storage 42
[Taylor & alii, 2010] M.E. Taylor, C. Kiekintveld, C. Western and M. Tambe, “A Framework for Evaluating Deployed Security Systems: Is There a Chink in your ARMOR?”, Informatica, 2010